February 13th, 2013, 03:25 PM
User file Uploads to my site
I'm building a site with PHP. I'm going to allow my users to upload files and view them. What precautions should I be taking so that I can't get burned by someone uploading something that could hurt the server or may allow hacking of some kind? Let me know if this is the wrong forum to ask this question. I was having trouble trying to determine the best forum to use.
February 13th, 2013, 05:22 PM
Upload what kind of files? Can anonymous users upload or access them?
February 14th, 2013, 02:59 PM
The plan is to use a regular post HTML form to accept the file. The post process will move the file to a specific directory. Another page will allow viewing the file through a link. Technically the user will be uploading anything from pictures to Office documents and text documents. I don't know if I can actually stop them from uploading any type of file they want. I could try and check the extension or type, but that's not always going to protect me. The real question I guess is can they upload a file and execute it somehow if I'm controlling the upload and giving them a link to view it?
February 14th, 2013, 03:00 PM
I forgot to add. The user that can upload a file is controlled by me and must be logged in to be able to upload a file. Not just anyone can do it.
February 14th, 2013, 06:49 PM
If you need to allow the upload of arbitrary file types then you cannot allow direct access to the uploaded files. They need to be stored outside of the web root or inside a directory that cannot be accessed from the web. To serve the files for download, you need to implement a PHP script using something like readfile to send down the file to the user.
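The approach described in the reply above, as an added example that is not part of the original thread: a download script that serves files kept outside the web root through readfile, which sends the bytes unchanged whatever the file type. The path /var/www/private_uploads, the `f` query parameter and the `user_id` session key are assumptions made for this example.

```php
<?php
// download.php: added example. UPLOAD_DIR, the "f" parameter and the
// "user_id" session key are assumed names, not taken from the thread.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed path, outside the web root

/** Return the real path of a stored upload, or null if the name is unsafe or missing. */
function resolve_upload(string $baseDir, string $name): ?string
{
    // Accept only a bare file name: no slashes, no leading dot, bounded length.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; confirm the result is still inside the upload directory.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Stream the file as a download so the browser saves it instead of rendering it. */
function send_download(string $path, string $name): void
{
    header('Content-Type: application/octet-stream');
    // $name already passed the whitelist above, so it cannot break the header.
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path); // the file is only read and sent, never executed by PHP
}

session_start();
if (empty($_SESSION['user_id'])) { // only logged-in users may fetch files
    http_response_code(403);
    exit('Login required');
}
$name = $_GET['f'] ?? '';
$path = is_string($name) ? resolve_upload(UPLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
send_download($path, $name);
```

The upload handler should save each file under a server-generated name that fits the same whitelist, keeping the user's original file name in a database rather than on disk.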
February 15th, 2013, 08:32 AM
Will this work for any type of file like images, PDF, and MS Office documents like Word or Excel?